mirror of https://github.com/django/django.git
Removed Django 1.2 compatibility fallback for form wizard hash
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15951 bcc190cf-cafb-0310-a4f2-bffc1f526a37
This commit is contained in:
parent
25aaa359a2
commit
fa4bbfcbfb
|
@ -249,14 +249,6 @@ class WizardClass(wizard.FormWizard):
|
||||||
return http.HttpResponse(success_string)
|
return http.HttpResponse(success_string)
|
||||||
|
|
||||||
|
|
||||||
class UserSecuredWizardClass(WizardClass):
|
|
||||||
"""
|
|
||||||
Wizard with a custum security_hash method
|
|
||||||
"""
|
|
||||||
def security_hash(self, request, form):
|
|
||||||
return "123"
|
|
||||||
|
|
||||||
|
|
||||||
class DummyRequest(http.HttpRequest):
|
class DummyRequest(http.HttpRequest):
|
||||||
|
|
||||||
def __init__(self, POST=None):
|
def __init__(self, POST=None):
|
||||||
|
@ -310,36 +302,7 @@ class WizardTests(TestCase):
|
||||||
"wizard_step": "1"})
|
"wizard_step": "1"})
|
||||||
self.assertEqual(0, response.context['step0'])
|
self.assertEqual(0, response.context['step0'])
|
||||||
|
|
||||||
def test_good_hash_django12(self):
|
def test_good_hash(self):
|
||||||
"""
|
|
||||||
Form should advance if the hash is present and good, as calculated using
|
|
||||||
django 1.2 method.
|
|
||||||
"""
|
|
||||||
# We are hard-coding a hash value here, but that is OK, since we want to
|
|
||||||
# ensure that we don't accidentally change the algorithm.
|
|
||||||
data = {"0-field": "test",
|
|
||||||
"1-field": "test2",
|
|
||||||
"hash_0": "2fdbefd4c0cad51509478fbacddf8b13",
|
|
||||||
"wizard_step": "1"}
|
|
||||||
response = self.client.post('/wizard/', data)
|
|
||||||
self.assertEqual(2, response.context['step0'])
|
|
||||||
|
|
||||||
def test_good_hash_django12_subclass(self):
|
|
||||||
"""
|
|
||||||
The Django 1.2 method of calulating hashes should *not* be used as a
|
|
||||||
fallback if the FormWizard subclass has provided their own method
|
|
||||||
of calculating a hash.
|
|
||||||
"""
|
|
||||||
# We are hard-coding a hash value here, but that is OK, since we want to
|
|
||||||
# ensure that we don't accidentally change the algorithm.
|
|
||||||
data = {"0-field": "test",
|
|
||||||
"1-field": "test2",
|
|
||||||
"hash_0": "2fdbefd4c0cad51509478fbacddf8b13",
|
|
||||||
"wizard_step": "1"}
|
|
||||||
response = self.client.post('/wizard2/', data)
|
|
||||||
self.assertEqual(0, response.context['step0'])
|
|
||||||
|
|
||||||
def test_good_hash_current(self):
|
|
||||||
"""
|
"""
|
||||||
Form should advance if the hash is present and good, as calculated using
|
Form should advance if the hash is present and good, as calculated using
|
||||||
current method.
|
current method.
|
||||||
|
|
|
@ -11,7 +11,4 @@ urlpatterns = patterns('',
|
||||||
(r'^wizard/$', WizardClass([WizardPageOneForm,
|
(r'^wizard/$', WizardClass([WizardPageOneForm,
|
||||||
WizardPageTwoForm,
|
WizardPageTwoForm,
|
||||||
WizardPageThreeForm])),
|
WizardPageThreeForm])),
|
||||||
(r'^wizard2/$', UserSecuredWizardClass([WizardPageOneForm,
|
|
||||||
WizardPageTwoForm,
|
|
||||||
WizardPageThreeForm]))
|
|
||||||
)
|
)
|
||||||
|
|
|
@ -11,7 +11,7 @@ except ImportError:
|
||||||
|
|
||||||
from django import forms
|
from django import forms
|
||||||
from django.conf import settings
|
from django.conf import settings
|
||||||
from django.contrib.formtools.utils import security_hash, form_hmac
|
from django.contrib.formtools.utils import form_hmac
|
||||||
from django.http import Http404
|
from django.http import Http404
|
||||||
from django.shortcuts import render_to_response
|
from django.shortcuts import render_to_response
|
||||||
from django.template.context import RequestContext
|
from django.template.context import RequestContext
|
||||||
|
@ -58,24 +58,7 @@ class FormWizard(object):
|
||||||
|
|
||||||
def _check_security_hash(self, token, request, form):
|
def _check_security_hash(self, token, request, form):
|
||||||
expected = self.security_hash(request, form)
|
expected = self.security_hash(request, form)
|
||||||
if constant_time_compare(token, expected):
|
return constant_time_compare(token, expected)
|
||||||
return True
|
|
||||||
else:
|
|
||||||
# Fall back to Django 1.2 method, for compatibility with forms that
|
|
||||||
# are in the middle of being used when the upgrade occurs. However,
|
|
||||||
# we don't want to do this fallback if a subclass has provided their
|
|
||||||
# own security_hash method - because they might have implemented a
|
|
||||||
# more secure method, and this would punch a hole in that.
|
|
||||||
|
|
||||||
# PendingDeprecationWarning <- left here to remind us that this
|
|
||||||
# compatibility fallback should be removed in Django 1.5
|
|
||||||
FormWizard_expected = FormWizard.security_hash(self, request, form)
|
|
||||||
if expected == FormWizard_expected:
|
|
||||||
# They didn't override security_hash, do the fallback:
|
|
||||||
old_expected = security_hash(request, form)
|
|
||||||
return constant_time_compare(token, old_expected)
|
|
||||||
else:
|
|
||||||
return False
|
|
||||||
|
|
||||||
@method_decorator(csrf_protect)
|
@method_decorator(csrf_protect)
|
||||||
def __call__(self, request, *args, **kwargs):
|
def __call__(self, request, *args, **kwargs):
|
||||||
|
|
Loading…
Reference in New Issue